DB2 Problems

Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in DB2, SHOUTcast, nasm, Vilistextum,
libtiff, wxGTK2, phpGroupWare, Vim, namazu2, and htmlheadline.

DB2 Problems

Several problems have been reported in IBM's DB2 database. These problems
include: the XMLFileFromVarchar and XMLFileFromClob functions can be used to
write files on the server; the XMLVarcharFromFile and XMLClobFromFile functions
can be used to read arbitrary files on the server; there are buffer overflow
vulnerabilities in the xmlvarcharfromfile, xmlclobfromfile, xmlfilefromvarchar
and xmlfilefromclob functions that can be exploited to execute arbitrary code
with the permissions of the user running DB2; the to_char and to_date functions
can be used in a denial-of-service attack that will cause DB2 to crash; if
DB2 is configured to use satellite administration, then the SATENCRYPT SQL function
is vulnerable to a buffer overflow; the JDBC Applet Server is vulnerable to
a buffer overflow that can be remotely exploited without authenticating to
DB2; there is a buffer overflow in the call and CREATE WRAPPERS functionality;
and there are buffer overflows in the libdb2.so.1 library and the db2fmp
utility that can both be exploited to execute arbitrary code with root permissions.

All of these vulnerabilities are reported to be repaired in the latest fixpaks
from IBM for DB2 7.x and 8.1.

SHOUTcast

SHOUTcast is a streaming audio server developed by Nullsoft. A bug in SHOUTcast
may be remotely exploitable to crash the server and possibly execute arbitrary
code with the permissions of the user running SHOUTcast. Code to automate the
exploitation of this vulnerability has been released to the public.

Nullsoft strongly urges all users to upgrade to SHOUTcast DNAS 1.9.5 as soon
as possible.

nasm

The open source 80x86 assembler nasm is reported to contain a buffer overflow.
This buffer overflow can be exploited by an attacker who creates a carefully
crafted assembly source code file and then convinces the victim to assemble
it.

Affected users should watch their vendors for a repaired version. Mandrake
has released a repaired version for Mandrake Linux 10.0 and 10.1.

Vilistextum

The HTML-to-text converter Vilistextum is vulnerable to a buffer overflow
that, under certain conditions, can be exploited by a remote attacker and result
in arbitrary code being executed with the permissions of the victim. The buffer
overflow is in the get_attr() function contained in html.c.

Users should discontinue use of Vilistextum with untrusted data until a repaired
version has been installed.

libtiff

libtiff, a library that provides support for Tagged Image File Format (TIFF)
images, contains a bug in the code that processes images with the STRIPOFFSETS
flag and an additional buffer overflow. Under some conditions, both of these
bugs may be exploitable to execute arbitrary code.

Users should watch their vendors for a repaired version of the libtiff library
and any other applications that may have been statically linked against a vulnerable
version.

wxGTK2

The GTK2 version of the wxWidgets GUI toolkit is vulnerable to several buffer
overflows due to the inclusion of vulnerable code from the libtiff graphics
library. At least one of the vulnerabilities is reported to be remotely exploitable
and can result in code being executed on the victim's machine.

All users should watch their vendors for updated packages for the toolkit and
any other applications affected by this vulnerability.

phpGroupWare

phpGroupWare, a web-based application that includes a calendar, address book,
to-do list, email, wiki, and news headline reader, is reported to be vulnerable
to multiple attacks. These vulnerabilities are reported to include multiple SQL
injection attacks, information disclosure vulnerabilities, and multiple
cross-site scripting-based attacks.

It is recommended that users upgrade to the latest version of phpGroupWare
or watch their vendors for an updated package. It is not clear if the latest
version of phpGroupWare repairs all of the disclosed vulnerabilities; users
should watch for future releases.

Vim (Vi Improved)

Vim is reported to be vulnerable to an attack that abuses Vim's modeline feature
to execute arbitrary commands. An attacker conducts this attack by creating
and sending to the victim text that contains modelines that will execute when
the text is edited with Vim. Any user who reads email messages or log files with
Vim should exercise special care.

It is recommended that users upgrade to a version that has been patched with
Bram Moolenaar's vim 6.3.045 patch as soon as possible. Adding the line
set modelines=0 to .vimrc may also disable the processing of modelines.
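As an added illustration (not code from this column or from Vim itself), the following Python checker flags the lines Vim would read as modelines in a file before it is opened in the editor. It assumes Vim's default of inspecting only the first and last five lines, and the mail body it scans is constructed for the example.

```python
import re

# Vim looks for a modeline only in the first and last `modelines` lines of a
# file (default 5).  A modeline is introduced by "vi:", "vim:", "Vim:" or "ex:"
# at the start of the line or after whitespace; version-constrained prefixes
# such as "vim<700:" are also accepted.  This regex is a conservative
# approximation of that syntax for detection purposes.
MODELINE_RE = re.compile(r"(?:^|\s)(?:vi|[vV]im(?:[<=>]\d+)?|ex):")


def find_modelines(text: str, modelines: int = 5) -> list:
    """Return (1-based line number, line) for lines Vim would treat as modelines."""
    lines = text.splitlines()
    n = len(lines)
    # Only the head and tail windows are ever parsed by Vim; a modeline-like
    # string in the middle of a long file is harmless.
    window = set(range(min(modelines, n))) | set(range(max(0, n - modelines), n))
    hits = []
    for i in sorted(window):
        if MODELINE_RE.search(lines[i]):
            hits.append((i + 1, lines[i]))
    return hits


# Constructed sample: a mail body whose last line carries a modeline, plus a
# modeline-like string on line 6 that sits outside the default scan window.
SAMPLE_MAIL = (
    "From: sender@example.invalid\n"
    "Subject: weekly status\n"
    "\n"
    "Nothing unusual this week.\n"
    "The build box was rebooted on Tuesday.\n"
    "A colleague suggested vi:set ts=4 as a tip.\n"
    "Backups completed normally.\n"
    "No open tickets remain.\n"
    "\n"
    "-- \n"
    "regards\n"
    "/* vim: set shiftwidth=2 : */\n"
)

if __name__ == "__main__":
    for lineno, line in find_modelines(SAMPLE_MAIL):
        print(f"line {lineno}: {line}")
```

Raising the `modelines` argument shows how a larger 'modelines' setting in .vimrc widens the window and exposes the line-6 string as well.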

namazu2

namazu2 is a web-based, full-text search engine. It is vulnerable to a
cross-site scripting-based attack where the attacker creates a payload script
that is indexed by namazu2 and then displayed unchanged (unsanitized) to the victim.
Cross-site scripting is a type of attack that uses a web application that does not
sanitize its input to pass a JavaScript, ActiveX, HTML, VBScript, Flash, or
other script to the victim. This script can conduct many different attacks,
such as account hijacking or gathering other information from the victim.

Affected users should watch their vendors for a repaired version of namazu2
or should upgrade to namazu 2.0.14 or newer as soon as possible.

htmlheadline

htmlheadline is vulnerable to a temporary-file, symbolic-link-based race condition
that may be exploited by a local user to write to arbitrary files on the system
with the permissions of the victim. htmlheadline is a script designed to fetch
headlines from web-based news sites.

Affected users should consider disabling htmlheadline until it has been repaired.